Package:OpenSSH

Default Installation

By default the ssh daemon listens on TCP port 22 and accepts a login from any local account that presents a valid username and password. The exception is root: the upstream OpenSSH default of PermitRootLogin prohibit-password lets root in only with public key authentication, so check /etc/ssh/sshd_config on the host to see which value is in effect.

Funtoo uses the OpenSSH daemon to provide the SSH service by default. sshd is a member of OpenRC's default runlevel.

Service configuration

There are two means of configuring sshd. The first is required, the second is optional.

sshd reads its configuration data from /etc/ssh/sshd_config by default (another file can be given with sshd -f).

sshd may also be configured to use PAM (UsePAM yes in sshd_config). Access can then be granted or denied by PAM modules as well, which allows usernames and similar access lists to be kept in plain text files, for example with pam_listfile. PAM decisions are applied in addition to sshd's own checks, not instead of them.

User Authentication

There are various means of authenticating a client. To tell the daemon which of them it must insist on, use the AuthenticationMethods directive. It is followed by one or more comma-separated lists of authentication method names, the lists themselves separated by spaces. Successful authentication requires completion of every method in at least one of these lists: the comma means "and", the space means "or". The method names are:

publickey

password

keyboard-interactive

hostbased

These options are only available for SSH protocol 2 (the only protocol modern OpenSSH speaks; protocol 1 support was removed in OpenSSH 7.6). The default, AuthenticationMethods any, does not require multiple authentication: any single enabled method is sufficient. Each method named in the directive must also be enabled by its own directive (PubkeyAuthentication, PasswordAuthentication, KbdInteractiveAuthentication, HostbasedAuthentication); a list that names a disabled method can never be satisfied.

Password authentication

Password authentication is enabled by default and is configured using the PasswordAuthentication directive. Valid parameters are yes or no. When PasswordAuthentication yes is configured, the state of the PermitEmptyPasswords directive is evaluated as well. Note that PasswordAuthentication no on its own does not stop password prompts when UsePAM yes is set: PAM can still ask for the account password through keyboard-interactive unless KbdInteractiveAuthentication (spelled ChallengeResponseAuthentication before OpenSSH 8.7) is also set to no.
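The following sshd_config fragment is an added illustration of these directives; it is not from the page or from the Funtoo default configuration. It places the single-factor default beside a setup that requires a key and a second factor delivered by PAM over keyboard-interactive. It assumes /etc/pam.d/sshd has been given an OTP module (with the stock PAM stack the keyboard-interactive prompt is just the account password again), and uses the KbdInteractiveAuthentication spelling of OpenSSH 8.7 and later. The weak and hardened halves are alternatives, not one file: sshd keeps the first value it sees for a keyword.

```conf
# --- Weak: the defaults the page describes, any single method suffices ---
#AuthenticationMethods any
#PasswordAuthentication yes
#PermitEmptyPasswords no

# --- Hardened: a key AND a PAM-driven second factor, nothing else ---
AuthenticationMethods publickey,keyboard-interactive
PubkeyAuthentication yes
# Plain password exchange off ...
PasswordAuthentication no
# ... but keyboard-interactive stays on, because PAM delivers the second
# factor through it (assumes an OTP module in /etc/pam.d/sshd).
KbdInteractiveAuthentication yes
UsePAM yes
PermitEmptyPasswords no

# Exception for an automation account that can only ever use its key.
# Match blocks must come last: everything after one belongs to it.
Match User deploy
    AuthenticationMethods publickey
```

Run sshd -t after editing to have the daemon parse the file, and keep an existing session open while restarting with rc-service sshd restart in case a typo locks you out.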

Public key authentication

Host-based authentication

Password authentication using sshd_config

The following 4 directives are listed in order of evaluation by OpenSSH. They are configured directly within sshd_config. Although they appear here under password authentication, they are checked before any authentication method runs and apply equally to public key and host-based logins. Only user or group names are valid; numerical IDs are not recognized. Patterns may contain the wildcards * and ?. If the pattern takes the form USER@HOST then USER and HOST are checked separately and access is restricted to the USER when originating from the HOST; HOST may be a hostname pattern or an address in CIDR form. When none of these directives is set, login is allowed for all users.

DenyUsers PATTERN PATTERN ...

Login is forbidden for users whose username matches one of the patterns

AllowUsers PATTERN PATTERN ...

Login is permitted only to users whose username matches one of the patterns; once AllowUsers is set, every other user is denied

DenyGroups PATTERN PATTERN ...

Login is forbidden for users whose primary group or supplementary group list matches one of the patterns

AllowGroups PATTERN PATTERN ...

Login is permitted only to users whose primary group or supplementary group list matches one of the patterns; once AllowGroups is set, users with no matching group are denied
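The order of evaluation above decides who gets in, and it is easy to misread: DenyUsers is checked first, a present AllowUsers turns every unlisted user away, and the group directives only get a say after that. The following Python model of that decision is an added example, not OpenSSH code and not part of the page, written so the effect of a config can be checked offline. It reproduces the documented behaviour (fixed order, the wildcards * and ?, USER@HOST with a CIDR block or a hostname pattern as HOST) and goes slightly beyond the text by handling CIDR hosts. Modelling assumptions: a hostname pattern is also tried against the client address (with the default UseDNS no that address is all sshd has), keywords are case-insensitive while names are case-sensitive, and repeated directive lines accumulate. The configuration fragment inside is constructed for the demonstration.

```python
"""Model of sshd's DenyUsers / AllowUsers / DenyGroups / AllowGroups evaluation.

Added example, not OpenSSH code: it reproduces only the documented order and the
'*' / '?' pattern syntax so that a config can be sanity-checked offline.
"""
import ipaddress
import re

ORDER = ("DenyUsers", "AllowUsers", "DenyGroups", "AllowGroups")
_KEYS = {k.lower(): k for k in ORDER}

# Constructed sshd_config fragment for the demonstration (not any real host's config).
SAMPLE_CONFIG = """
DenyUsers   guest backup@*
AllowUsers  alice bob@10.0.0.0/8 deploy@*.internal.example
DenyGroups  nologin
AllowGroups sshusers wheel
"""


def parse_config(text):
    """Collect the patterns of the four access directives (repeated lines accumulate)."""
    rules = {k: [] for k in ORDER}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, rest = line.partition(" ")
        if key.lower() in _KEYS:
            rules[_KEYS[key.lower()]].extend(rest.split())
    return rules


def glob_match(pattern, value):
    """sshd-style pattern: '*' matches any run, '?' any one character, all else literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def host_match(pattern, host, addr):
    """HOST part of USER@HOST: a CIDR block against the address, otherwise a name pattern."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    # Assumption: the name pattern is tried against the hostname and the address.
    return glob_match(pattern.lower(), host.lower()) or glob_match(pattern, addr)


def user_match(pattern, user, host, addr):
    """A bare pattern ignores where the client comes from; USER@HOST checks both halves."""
    if "@" not in pattern:
        return glob_match(pattern, user)
    upat, hpat = pattern.split("@", 1)
    return glob_match(upat, user) and host_match(hpat, host, addr)


def login_allowed(rules, user, groups, host="", addr=""):
    """Apply the four directives in sshd's order; return (allowed, deciding rule)."""
    if any(user_match(p, user, host, addr) for p in rules["DenyUsers"]):
        return False, "DenyUsers"
    if rules["AllowUsers"] and not any(user_match(p, user, host, addr) for p in rules["AllowUsers"]):
        return False, "not in AllowUsers"
    if any(glob_match(p, g) for p in rules["DenyGroups"] for g in groups):
        return False, "DenyGroups"
    if rules["AllowGroups"] and not any(glob_match(p, g) for p in rules["AllowGroups"] for g in groups):
        return False, "not in AllowGroups"
    return True, "allowed"


if __name__ == "__main__":
    rules = parse_config(SAMPLE_CONFIG)
    # Constructed (user, groups, hostname, address) cases.
    cases = [
        ("alice", ["sshusers"], "laptop", "192.0.2.5"),
        ("guest", ["wheel"], "laptop", "192.0.2.5"),       # DenyUsers wins over AllowGroups
        ("bob", ["wheel"], "jump", "10.1.2.3"),            # inside the CIDR block
        ("bob", ["wheel"], "jump", "192.0.2.9"),           # same user, wrong network
        ("deploy", ["sshusers"], "ci.internal.example", "203.0.113.4"),
        ("alice", ["nologin", "sshusers"], "laptop", "192.0.2.5"),
        ("alice", ["users"], "laptop", "192.0.2.5"),       # AllowGroups set: other groups denied
    ]
    for user, groups, host, addr in cases:
        ok, why = login_allowed(rules, user, groups, host, addr)
        print(f"{user:7} groups={','.join(groups):17} from {host}/{addr}: "
              f"{'ALLOW' if ok else 'DENY'} ({why})")
```

On the real daemon the same decision is visible in the auth log, for example "User bob from 192.0.2.9 not allowed because not listed in AllowUsers", and sshd -T -C user=bob,host=jump,addr=192.0.2.9 prints the directive values that apply to that client after Match processing, which is the quickest way to confirm the model's input matches what sshd actually sees.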

Public key authentication

AuthorizedKeysFile

Names the file(s), relative to the user's home directory unless given as an absolute path, holding the public keys accepted for that user; the default is .ssh/authorized_keys .ssh/authorized_keys2.

AuthorizedKeysCommand

Names a program that sshd runs to look up a user's authorized keys (for example from a directory service) in addition to the file; its output must be in authorized_keys format.

AuthorizedKeysCommandUser

Names the unprivileged account under which that program is run. It must be set whenever AuthorizedKeysCommand is, otherwise sshd refuses to start.

Host based authentication

Access control

Controlling root access

Access by the root user can be controlled using the PermitRootLogin directive. Valid parameters are yes, prohibit-password (formerly spelled without-password), forced-commands-only and no. The upstream default is prohibit-password, which lets root in only with public key or other non-password authentication. The directive may also be set per client inside a Match block.

Permit empty passwords

Access to accounts with empty (i.e. blank) passwords can be controlled using the PermitEmptyPasswords directive. Valid parameters are yes or no; the default is no, and it is only consulted when password authentication is enabled.
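The following sshd_config fragment is an added illustration of the two directives above, not from the page or from the Funtoo default configuration. It shows the weakest settings beside a hardened arrangement in which root is normally locked out and may only use a key from a management network; the 192.0.2.0/24 range is a placeholder. The two halves are alternatives, not one file, because sshd keeps the first value it sees for a keyword, and the Match block must be the last thing in the file since every line after it belongs to it.

```conf
# --- Weak: root with a password from anywhere, blank passwords accepted ---
PermitRootLogin yes
PermitEmptyPasswords yes

# --- Hardened: root locked out, except by key from the management network ---
PermitRootLogin no
PermitEmptyPasswords no
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
```

Check the result with sshd -T -C addr=192.0.2.10 | grep -i permitrootlogin and again with an address outside the block, then restart the service with rc-service sshd restart from a session you keep open.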